There are two preconditions for the attack:
- One of the queries results in a valid answer of 2k (2048 bytes)
- One of the queries soft-fails and will be retried
Mitigating (1) for UDP is simple: set the maximum UDP buffer size to <2048 B [1]. That leaves TCP.
Making one of the A/AAAA queries fail at the upstream (2) can be done by making the resolution chain overly long (the attacker is not between the stub and the resolver), so that glibc times out and retries. At this point, if glibc retries, the resolver MUST NOT ask the origin again, otherwise the origin may get a second chance to provide the attack payload. If the resolver instead serves the previous negative answer from cache, or queues the second query behind the first one that is still being resolved, the preconditions are met but the attack payload never reaches the client. This can be mitigated with a cache-min-ttl for negative answers that is higher than the RTT between stub and resolver (say 5s).
Note: Knot DNS Resolver has a 5s minimum cache TTL for negative/failed answers, so that's covered.
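The negative-cache mitigation above, as an added example that is not part of the original note and not Knot DNS Resolver's code: a toy resolver front-end that applies a minimum TTL to failed answers, so that a stub's retry inside that window is served from cache and never triggers a second upstream lookup. The upstream, the simulated clock, the name `example.test` and the 2048-byte "re-ask" payload are all constructed for the demonstration; the 5s minimum TTL is taken from the note and used here as an assumed parameter.

```python
"""Added example (not from the original note): minimum TTL for negative answers."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

NEG_MIN_TTL = 5.0  # assumed: minimum TTL applied to negative/failed answers, in seconds

# An upstream lookup returns (answer bytes or None for a failure, TTL in seconds).
Upstream = Callable[[str, str], Tuple[Optional[bytes], float]]


@dataclass
class CacheEntry:
    answer: Optional[bytes]  # None means a negative / failed answer
    expires_at: float


@dataclass
class NegativeCachingResolver:
    upstream: Upstream
    clock: Callable[[], float]
    neg_min_ttl: float = NEG_MIN_TTL
    cache: Dict[Tuple[str, str], CacheEntry] = field(default_factory=dict)
    upstream_calls: int = 0

    def resolve(self, name: str, qtype: str) -> Optional[bytes]:
        key = (name, qtype)
        now = self.clock()
        entry = self.cache.get(key)
        if entry is not None and entry.expires_at > now:
            # Served from cache: a retried stub query never reaches the origin.
            return entry.answer
        self.upstream_calls += 1
        answer, ttl = self.upstream(name, qtype)
        if answer is None:
            # Failed answers get at least neg_min_ttl, even when the upstream
            # gave no TTL at all (timeout / SERVFAIL).
            ttl = max(ttl, self.neg_min_ttl)
        self.cache[key] = CacheEntry(answer, now + ttl)
        return answer


def simulate(neg_min_ttl: float, retry_delay: float) -> Tuple[int, int]:
    """Scenario from the note: the first upstream lookup soft-fails, the stub
    retries after retry_delay seconds. Returns (upstream lookups made,
    size of the answer the stub received on its retry)."""
    now = [0.0]
    attempts = [0]

    def upstream(name: str, qtype: str) -> Tuple[Optional[bytes], float]:
        attempts[0] += 1
        if attempts[0] == 1:
            return None, 0.0            # constructed: timeout, no TTL from upstream
        return b"\x00" * 2048, 60.0     # constructed: oversized answer if re-asked

    resolver = NegativeCachingResolver(upstream=upstream,
                                       clock=lambda: now[0],
                                       neg_min_ttl=neg_min_ttl)
    resolver.resolve("example.test", "AAAA")   # soft-fails, cached as negative
    now[0] += retry_delay
    second = resolver.resolve("example.test", "AAAA")  # the stub's retry
    return resolver.upstream_calls, (len(second) if second else 0)


if __name__ == "__main__":
    print("min-ttl 5s, retry at 1s:", simulate(5.0, 1.0))  # one upstream call, nothing large
    print("min-ttl 0s, retry at 1s:", simulate(0.0, 1.0))  # origin asked again
    print("min-ttl 5s, retry at 6s:", simulate(5.0, 6.0))  # TTL expired, origin asked again
```

The third run shows the caveat behind "higher than RTT": the minimum negative TTL has to outlast the stub's retry interval, otherwise the retry arrives after the cached failure has expired and the resolver asks the origin again.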